HackMyIP
2026-06-26 The Hacker News

Chinese APT TinyRCT Backdoor Targets Southeast Asia Infrastructure

Tags: APT, Malware, Threat Intel

A Chinese-speaking advanced persistent threat (APT) actor tracked as CL-STA-1062 has been linked to a newly discovered custom backdoor called TinyRCT, deployed in a sustained cyber espionage campaign against government entities and state-owned energy enterprises across Southeast Asia. Researchers at Palo Alto Networks Unit 42 report that CL-STA-1062 shares tactical overlap with UAT-7237, a group previously flagged by Cisco Talos in August 2025 for attacks on Taiwanese web infrastructure. Evidence suggests the actor has been active in East Asia since at least March 2022, signaling a long-running, regionally focused operation.

The attackers rely on a hybrid toolkit that blends commodity open-source utilities—SoftEther VPN, Mimikatz, and VNT—with their bespoke malware. Initial access is typically achieved by scanning regional targets for vulnerabilities and planting ASPX web shells on exposed servers, enabling reconnaissance and outbound callbacks to attacker-controlled infrastructure. From there, the operators stage RAR archives containing additional payloads, frequently disguising them as legitimate VMware binaries or XDR agent executables such as "XDRAgent.exe," "vmtools.exe," and "vmwared.exe." In a September 2025 intrusion against a Southeast Asian government entity, the actor deployed a web shell to exfiltrate data from an MS SQL server while simultaneously conducting lateral reconnaissance on a second government agency in the same country.

TinyRCT itself, internally named "PerfWatson2.exe," is a lightweight .NET remote access trojan capable of arbitrary command execution, file enumeration and exfiltration, screen capture, and self-deletion to evade forensic analysis. Between October and December 2025, Unit 42 documented breaches of at least 10 organizations across the region, with stolen assets including entire directories of web server source code. Defenders investigating suspicious outbound traffic or unfamiliar processes on critical systems can use a port scanner to identify rogue listeners and a DNS leak test to detect unexpected resolver activity that may indicate beaconing to adversary infrastructure.

The campaign underscores how state-aligned APT groups continue to weaponize living-off-the-land techniques and trusted open-source tooling to blend into enterprise environments. Security teams are advised to monitor for SoftEther VPN components, SOCKS5 proxies like Yuze, and the TinyRCT file hash on endpoints, while validating exposure of ASPX surfaces. Organizations can also run a privacy checkup to assess their overall attack surface and identify gaps that threat actors like CL-STA-1062 routinely exploit.
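The monitoring advice above boils down to a watchlist: the lookalike file names the article attributes to this actor (XDRAgent.exe, vmtools.exe, vmwared.exe and TinyRCT's internal name PerfWatson2.exe) plus the context in which each was found. The script below is an added example, not code from the article or from Unit 42, that triages a process listing against that watchlist. Any binary whose name matches is reported; where a defender records an expected install directory for a legitimately named binary, a match outside that directory is called out separately. The expected-directory entry and the process listing are constructed for illustration and are not claims about where any vendor's software lives.

```python
"""Triage a process listing for the lookalike binary names cited in the article.

Added illustrative example. The watchlist names come from the article; the
expected directory and the sample listing are constructed assumptions.
"""
import csv
import io
from pathlib import PureWindowsPath

# File names the article associates with the campaign (compared case-insensitively).
WATCHLIST = {
    "xdragent.exe",
    "vmtools.exe",
    "vmwared.exe",
    "perfwatson2.exe",   # TinyRCT's internal name per the article
}

# ASSUMED for illustration only: if your environment legitimately runs a binary
# with one of these names, record the directory it is installed in here so that
# a copy running from anywhere else is flagged as an unexpected location.
EXPECTED_DIRS = {
    "vmtools.exe": {r"c:\program files\vmware\vmware tools"},
}


def triage(listing: str) -> list[dict]:
    """Return one finding per watchlisted process in a CSV listing (columns: PID,Path)."""
    findings = []
    for row in csv.DictReader(io.StringIO(listing)):
        path = PureWindowsPath(row["Path"])
        name = path.name.lower()
        if name not in WATCHLIST:
            continue
        parent = str(path.parent).lower()
        allowed = EXPECTED_DIRS.get(name, set())
        if parent in allowed:
            verdict = "expected-location"          # name known, running where recorded
        elif allowed:
            verdict = "unexpected-location"        # known name, but not in its recorded directory
        else:
            verdict = "watchlist-name"             # no legitimate counterpart recorded: always flag
        findings.append({
            "pid": int(row["PID"]),
            "name": name,
            "path": row["Path"],
            "verdict": verdict,
        })
    return findings


# Constructed sample listing; PIDs and paths are made up for this example.
SAMPLE_LISTING = """PID,Path
412,C:\\Program Files\\VMware\\VMware Tools\\vmtools.exe
2210,C:\\Users\\Public\\vmtools.exe
2388,C:\\Windows\\Temp\\XDRAgent.exe
3001,C:\\Windows\\System32\\svchost.exe
3120,C:\\ProgramData\\PerfWatson2.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING):
        print(f"PID {finding['pid']:>5}  {finding['verdict']:<20}  {finding['path']}")
```

In practice the listing would come from an EDR export or a `tasklist`-style dump converted to CSV; the point of the two-tier verdict is that a name on the watchlist is worth a look on its own, while a copy of a known-named binary outside its recorded directory is the stronger signal. The article's file hash for TinyRCT, where available from the original report, is a more precise indicator to pair with this name-based check.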

Source: The Hacker News
